On Mon, May 4, 2015 at 3:35 PM, Dan Langille <dlangille@xxxxxxxxxxxxxx> wrote: > On Thu, Apr 30, 2015 at 4:23 PM, brian m. carlson > <sandals@xxxxxxxxxxxxxxxxxxxx> wrote: >> On Thu, Apr 30, 2015 at 04:14:12PM -0400, Dan Langille wrote: >>> Would this question be better suited for another list? >> >> Nope, this is the place to go. >> >>> On Wed, Apr 22, 2015 at 4:06 PM, Dan Langille <dlangille@xxxxxxxxxxxxxx> wrote: >>> > Hello, >>> > >>> > I'm using git 2.3.2 with Kerberos for authentication and gito-lite for >>> > authorization. >>> > >>> > This works: >>> > >>> > $ git clone https://dvl@ repo.example.org/git/testing >>> > Cloning into 'testing'... >>> > warning: You appear to have cloned an empty repository. >>> > Checking connectivity... done. >>> > >>> > My goal: have it work without supplying dvl@ as shown here: >>> > >>> > $ git clone https://repo.example.org/git/testing >>> > Cloning into 'testing'... >>> > Username for 'https://repo.example.org': >>> > >>> > I don't want to be prompted for a password. I want Kerberos to kick in. >>> > >>> > Following http://git-scm.com/docs/gitcredentials, the following seems to >>> > have nil effect. Anyone used this feature already? >>> > >>> > git config --global credential.https://repo.example.org.username dvl >>> > >>> > $ cat ~/.gitconfig >>> > [credential "https://repo.example.org";] >>> > username = dvl >>> > [http] >>> > sslCAInfo = /usr/local/etc/trusted-certificates.pem >>> > >>> > With the above, I still get prompted for a password >>> > >>> > Given my use of Kerberos for authorization, is this option feasible? >> >> Not at the present time. The only time that the credential API is >> invoked is if it prompts for a password, and by that point you've fallen >> back to Basic authentication. >> >>> > Should I be taking a different approach? >> >> If you want it to work only with Kerberos, then any username in the URL >> is fine, as libcurl doesn't care. > > That is what I found during testing. So long as I put a username in > the URL, Kerberos worked > and all authentication occurred as expected. As I understand it, in order to invoke Kerberos Authentication, a username must be in the URL, but that username is not involved in the authentication process. Thus, the username in the config is never applied to any URL and does not not work the same way as a username which appears in the URL. I suspect this is because a username in the URL invokes authentication, which prompts the whole Kerberos process. The best workaround I've found is this configuration item: [url "https://FOO@xxxxxxxxxxxxxxxx";] insteadOf = https://repo.example.org We'd be happy if we could set this as a global config setting and not have the users prompted for a password. The whole beauty of Kerberos is not getting prompted for stuff. Am I simply failing to comprehend the steps involved in Kerberos Authentication? What bits of code would need looking at in order for git authentication to work seamlessly with Kerberos? We are so close. -- Dan Langille Infrastructure & Operations Talos Group Sourcefire, Inc. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html